Package: avahi-daemon
Version: 0.7-4+b1
Severity: important
Tags: security

Dear Maintainers,

I found a local denial-of-service vulnerability in avahi-daemon. It can be triggered by writing long lines to /run/avahi-daemon/socket and results in an unresponsive busy-loop of the daemon.

Steps to reproduce:

$ perl -e '$|=1; print "a"x(20*1024+1); sleep 1;' | socat - /run/avahi-daemon/socket
$ top

--> check that avahi-daemon uses 100% CPU, does not react to any valid requests anymore (at least not using that socket) and does not react to SIGTERM.

Note that every local user has access to the socket.

Note that in [1], function "client_work()", the code reacts to the filling of its input buffer with disabling the io-watcher, so the io-watcher itself must be at fault (though this specific problem could be fixed in that function by just dropping the whole connection the moment the buffer fills up).

[1] https://github.com/lathiat/avahi/blob/master/avahi-daemon/simple-protocol.c

Yours
Thomas Kremer

-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'oldoldstable'), (500, 'oldstable'), (450, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages avahi-daemon depends on:
ii  adduser            3.118
ii  bind9-host [host]  1:9.11.5.P4+dfsg-5.1+deb10u3
ii  dbus               1.12.20-0+deb10u1
ii  libavahi-common3   0.7-4+b1
ii  libavahi-core7     0.7-4+b1
ii  libc6              2.28-10
ii  libcap2            1:2.25-2
ii  libdaemon0         0.14-7
ii  libdbus-1-3        1.12.20-0+deb10u1
ii  libexpat1          2.2.6-2+deb10u1
ii  lsb-base           10.2019051400

Versions of packages avahi-daemon recommends:
ii  libnss-mdns  0.14.1-1

Versions of packages avahi-daemon suggests:
pn  avahi-autoipd  <none>

-- no debconf information
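As an added illustration (not avahi's code and not part of the report above), the following C program shows the mitigation the reporter proposes for client_work(): a line-buffered reader that disconnects a client the moment a request line no longer fits in its input buffer, instead of pausing the read watcher and leaving the daemon to spin. The struct and function names, the CLIENT_BUF_SIZE value and the sample requests are all hypothetical; only the 20*1024+1 byte input in the demo is taken from the report.

```c
/* Added example, not avahi's own code: a line-buffered client reader that
 * drops a client whose input overflows the line buffer. Struct/function
 * names and CLIENT_BUF_SIZE are hypothetical; the 20*1024+1 byte input in
 * demo_oversized_line() mirrors the reproduction in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CLIENT_BUF_SIZE 20480   /* hypothetical limit, not avahi's real value */

enum client_status { CLIENT_DROPPED = -1, CLIENT_OK = 0, CLIENT_LINE = 1 };

struct client {
    int fd;                  /* socket, or -1 when no real socket is attached */
    int dropped;             /* set once the client has been disconnected */
    size_t inbuf_len;        /* bytes of the partial line collected so far */
    unsigned lines_handled;  /* complete lines passed to handle_line() */
    char inbuf[CLIENT_BUF_SIZE];
};

static void client_init(struct client *c, int fd)
{
    memset(c, 0, sizeof *c);
    c->fd = fd;
}

/* Disconnect the client: close the socket and refuse any further input. */
static void client_drop(struct client *c, const char *why)
{
    if (c->fd >= 0) {
        close(c->fd);
        c->fd = -1;
    }
    c->dropped = 1;
    c->inbuf_len = 0;
    fprintf(stderr, "dropping client: %s\n", why);
}

/* Process one complete, NUL-terminated request line (stub: just count it). */
static void handle_line(struct client *c, const char *line)
{
    (void)line;
    c->lines_handled++;
}

/* Feed bytes received from the socket into the line buffer.
 * Returns CLIENT_LINE if at least one full line was handled, CLIENT_OK if
 * only a partial line was buffered, and CLIENT_DROPPED if the client was
 * (or already had been) disconnected because a line exceeded the buffer. */
static enum client_status client_feed(struct client *c, const char *data, size_t n)
{
    enum client_status st = CLIENT_OK;
    if (c->dropped)
        return CLIENT_DROPPED;
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            c->inbuf[c->inbuf_len] = '\0';
            handle_line(c, c->inbuf);
            c->inbuf_len = 0;
            st = CLIENT_LINE;
            continue;
        }
        /* Keep room for the terminating NUL. If the line does not fit, drop
         * the connection rather than disabling the watcher and spinning. */
        if (c->inbuf_len + 1 >= sizeof c->inbuf) {
            client_drop(c, "request line exceeds buffer");
            return CLIENT_DROPPED;
        }
        c->inbuf[c->inbuf_len++] = data[i];
    }
    return st;
}

/* Read callback for an event loop: pull what is available and feed it. */
static enum client_status client_on_readable(struct client *c)
{
    char chunk[4096];
    ssize_t r = read(c->fd, chunk, sizeof chunk);
    if (r <= 0) {
        client_drop(c, r == 0 ? "peer closed" : "read error");
        return CLIENT_DROPPED;
    }
    return client_feed(c, chunk, (size_t)r);
}

/* Demo without a socket: a constructed 20*1024+1 byte line, as in the report. */
static int demo_oversized_line(void)
{
    struct client c;
    size_t len = 20 * 1024 + 1;
    char *big = malloc(len);
    if (!big)
        return -2;
    memset(big, 'a', len);
    client_init(&c, -1);
    int st = client_feed(&c, big, len);
    free(big);
    return st;   /* CLIENT_DROPPED (-1) */
}

/* Demo with two constructed, well-formed request lines. */
static int demo_normal_lines(void)
{
    struct client c;
    const char req[] = "request one\nrequest two\n";   /* constructed sample */
    client_init(&c, -1);
    if (client_feed(&c, req, sizeof req - 1) != CLIENT_LINE)
        return -1;
    return (int)c.lines_handled;   /* 2 */
}

int main(void)
{
    printf("oversized line -> status %d\n", demo_oversized_line());
    printf("normal input -> %d lines handled\n", demo_normal_lines());
    return 0;
}
```

The important property is that the overflow path ends the connection and leaves the client in a state where every later feed returns CLIENT_DROPPED, so a single misbehaving local client can at most cost one accept() and a buffer, never the daemon's event loop.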